1.2 Social Engineering Attacks


hoax

a false claim to entice somebody to take a desired action. For example, an attacker might claim that you have won something or that they want to buy something from you so you will provide personal information, such as your Social Security number or bank account information.

whaling

a type of spear phishing that targets high-profile individuals, such as executives at public companies. Whaling attackers often take pains to learn a lot about their targets, and successful attacks can yield much higher gains than other phishing attacks.

impersonation

an attack where a malicious person attempts to impersonate a legitimate person or entity. Impersonation attacks can occur over email, over the web or in person.

dumpster diving

attackers simply sift through trash dumpsters looking for personal or sensitive information that they could use to carry out spear phishing or other attacks, or that could enable them to steal somebody's identity. Attackers often look for electronic waste, too, such as disk drives, USB sticks and backup tapes.

why are social engineering attacks effective?

authority, intimidation, consensus, scarcity, familiarity, trust, and urgency

vishing

phishing by telephone. While some people refer to this as phishing, vishing is the official term. With vishing, the goal is to gain sensitive or personal information from the person answering the phone. Often, the caller will impersonate another person, attempt to sound important and have a reason for requests to be expedited.

spear phishing

phishing that targets an individual or a small group of people. Typically, spear phishing attacks are more sophisticated than mass phishing attacks; the attackers often know more about their targets and often stand to gain more if the target is compromised.

phishing

the act of trying to deceive somebody into giving up personal information or sensitive information. There are three avenues for phishing attacks: email, telephone, and in person.

social engineering

the art of deceiving people. Attacks happen via email, over the phone and in person. Social engineering is one of the most dangerous types of attacks because it has a high success rate.

watering hole attack

typically targets a specific company. The attacker learns of websites that the company frequents (their watering holes) and attempts to place malware on those sites in hopes that someone at the company will get infected. Lesser-known watering hole attacks can occur in person: an attacker might place infected USB sticks at the IT helpdesk or support area in a box with a sign reading, "Free USB sticks."

shoulder surfing

when a person secretly watches the computer screen or keyboard of another user. It is an easy way to obtain passwords, logon methods and other sensitive information.

tailgating

when someone follows an authorized person into a restricted area, such as a corporate office building, without providing their own credentials, such as swiping their keycard. Tailgating attacks are dangerous because they give attackers physical access to your environment and computers.

